1. The Threat

In this article, we'll focus on the initial communication with the Command & Control infrastructure.

2. The Check-In phase

At the time of the compilation of the malware, spreaders can choose a list of domains that will be hardcoded in the sample in an encrypted form.

For example, the following image shows 3 different domains uploaded into the memory of one of the variant that we analyzed.

The malicious agent tries to perform its initial communication with the first of the list, then, if it fails, it would try with the next and so on.

We underline that this "beacon" is always performed via plain HTTP while the following steps of communication are done via SSL encryption and custom certificates.

This is important because, with the right eye, even without SSL interception, we can pretty easily spot if something is going wrong.

The following image shows 3 different attempts to communicate with the C2 server in a sandbox environment.

If the pattern is not known, an untrained analyst could be misleaded by this behaviour while performing threat hunting on network logs or artifacts.

The file extension ".avi" refers to video files. Also, the path "/images/" is deceptive. In addition, it's performed as a "GET" request. All of this evidence could be seen as a normal download of a video file from a site hosting media.In fact it's the check-in of the malware that is sending basic information about the compromised machine, hiding them in plain sight in the URI path.

3. Encryption routine

The custom algorithm starts with a symmetric encryption that leverages the Serpent cipher in CBC mode and a null IV (initialization vector).

Afterwards the result is encoded with a classic base64. Considering that base64 encoding is pretty easy to spot, malware authors decided to change things a little more. They removed padding characters("=") and substituted the other special characters ("+", "/") with the relative ASCII code, after having prepended them by an underscore ("_2f", "_2b"). The last tweak is to add slashes at specified offsets to let the URI to appear like a real one.

Obviously, the Serpent encryption needs a key. We can find it hardcoded on the malware sample. Some code level analysis could be required to get that info.

However, observations led to the fact that the key is usually shared among a lot of samples and rarely changed.

If you don't have one, just run the script: it would try a predefined list of known keys for you.

It's really appreciated if you want to share new keys that you find with us. Feel free to contact us on Twitter or LinkedIn

4. Injected Internet Explorer? Or not?

While investigating the check-in phase, we noticed an unusual fact that we think it's worth to mention.

As you can see from the analysis of AnyRun, the malicious beacon seems to be sent by an Internet Explorer instance after the malware has run.

Considering that Ursnif is known to perform injection on browsers to steal information, an unaware analyst could think that the malware already decided to perform some form of memory injection into a new spawned instance of Internet Explorer to masquerade the communication as a legit one.

However this is unecessary. It's enough to use the COM (Wikipedia) library that is provided by Microsoft.Looking at the code, we can detect this behaviour with the finding of the function CoCreateInstance that were made just before the network communication.

This one is a stealthy way that could mislead both analysts and security products if it has not been taken in consideration.

If you like to have a more detailed explanation on COM and, in general, on how to detect malware C2 communications while reverse engineering, I suggest the following reading: FireEye Blog

Conclusions

Ursnif has been trying for years to make analysis difficult for people and detection for security products.

We went deep into the communication performed during the check-in phase and created a new tool to help to analyze and detect the malware.

Certego is actively monitoring every day threats to improve its detection and response methods, continuously increasing the effectiveness of the incident response workflow.